PGP Questions

Hello all,
I am a newbie at PGP and have a few questions, and I am not sure which zone to put this question under.
I know that in a HIPAA compliant environment you want to have PGP on both the client and the server in a LAN area so that communication between the client and the server is encrypted.
My questions, for a HIPAA facility, are:
1) Does PGP create an overhead on the PCs that makes the PCs slow?
2) I know that Symantec has PGP software. Are there any other PGP software out there that works well?
3) What if you have a client that just has PCs with no file server on their LAN, does PGP software work the same and is it worth it to have it on those PCs?
Thanks,
Kelly W.

PGP has a suite of encryption tools. PGP started out doing encrypted email. PGP does not do network encryption itself; it encrypts the data in an email before it is sent. Encrypted network communications are typically done via tunneling, VPN or dedicated encryption gateways. If you send a PGP email to someone without a PGP client, they will not be able to read the encrypted email. Emails can also be signed with a hash that can be used to verify whether the message has been tampered with, but that does not prevent anyone from reading it.
There are other encryption suites and solutions. Cisco has an encrypted email solution that is superior to PGP in that it does not require the exchange of public keys, and it does not require an email client or 3rd-party software that understands any encryption. http://www.ironport.com/
Even if you are using whole-disk encryption, if you copy a file to a server that does not have encryption, the file is plain-text/not encrypted when sent to its destination. Technically this also applies when sending between two computers that do have disk encryption: the data on the wire is plain-text, but it is written to the disk as encrypted data.
-rich
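
As an added example (not from rich's post, and not code from any PGP product), the two points above can be seen directly with GnuPG, the free OpenPGP implementation: a clear-signed message keeps its body readable and only lets the recipient detect tampering, while an encrypted message hides the body from anyone without the private key. The script works in a throwaway keyring under a temporary directory; the user ID, the file names and the one-line sample "patient" message are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Added example: sign vs. encrypt with GnuPG (gpg 2.1 or later assumed).
set -e

# Isolated keyring so nothing touches the real ~/.gnupg; removed on exit.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Assumed (hypothetical) identity for the throwaway key.
UID_STR="Demo Sender <sender@example.invalid>"

# Generate an unprotected demo key once (idempotent on repeated calls).
gen_key() {
    gpg --batch --quiet --list-secret-keys "$UID_STR" >/dev/null 2>&1 && return 0
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$UID_STR" default default never
}

# Constructed sample message standing in for protected health information.
write_message() {
    printf 'Patient MRN 0000000: lab result pending\n' > "$GNUPGHOME/msg.txt"
}

# Clear-sign: the body stays as readable text, followed by a signature block.
clearsign() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        -u "$UID_STR" --clearsign -o "$GNUPGHOME/msg.signed.asc" "$GNUPGHOME/msg.txt"
}

# Exit 0 when the plaintext can be read straight out of the given file.
plaintext_visible() { grep -q 'Patient MRN' "$1"; }

# Verify the untouched clear-signed file (exit 0 = good signature).
verify_signed() { gpg --batch --quiet --verify "$GNUPGHOME/msg.signed.asc" 2>/dev/null; }

# Change one word in the signed body; the signature no longer matches.
tamper_signed() {
    sed 's/pending/negative/' "$GNUPGHOME/msg.signed.asc" > "$GNUPGHOME/msg.tampered.asc"
}
verify_tampered() { gpg --batch --quiet --verify "$GNUPGHOME/msg.tampered.asc" 2>/dev/null; }

# Encrypt to the recipient's public key; the armored output has no readable body.
encrypt_msg() {
    gpg --batch --quiet --yes --trust-model always -r "$UID_STR" \
        --armor --encrypt -o "$GNUPGHOME/msg.enc.asc" "$GNUPGHOME/msg.txt"
}

# Decrypt with the matching private key and print the recovered text.
decrypt_msg() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$GNUPGHOME/msg.enc.asc" 2>/dev/null
}

demo() {
    gen_key; write_message; clearsign
    printf '== clear-signed message (body is readable) ==\n'
    cat "$GNUPGHOME/msg.signed.asc"
    verify_signed && echo "verify (untouched): good signature"
    tamper_signed
    verify_tampered || echo "verify (tampered): BAD signature, as expected"
    encrypt_msg
    printf '== encrypted message (no readable body) ==\n'
    cat "$GNUPGHOME/msg.enc.asc"
    printf 'decrypted: %s\n' "$(decrypt_msg)"
}
demo
```

The tampered copy fails `--verify` while the original passes, which is the integrity property; only the `--encrypt` output hides the text, which is the confidentiality property. Without the recipient's private key the encrypted file is unreadable, which is exactly the "recipient without a PGP client" problem rich describes.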

We know that for HIPAA, one of the key factors is protecting the confidentiality and integrity of users' medical information. Simply put, the security mechanisms needed to guard against unauthorized access to data require integrity controls and message authentication, with required access controls and/or encryption. For medical data transmitted over a network (which is increasingly common), it applies similarly and additionally needs event reporting, audit trails, and entity authentication. With that quick brief, we can look at a snapshot of PGP (bought by Symantec) offerings in this comparison table

1) Does PGP create an overhead on the PCs that makes the PCs slow?

- The suite primarily involves encryption/decryption, which you can see as additional processing for data at rest, data in transit and data in progress. There will definitely be some latency from embedding security processes, but the question is how impactful it is to business operations. I will say that the crypto algorithms used, such as AES, have gone through rounds of debate to emerge as one of the secure and efficient mechanisms widely used by most products. The performance cost will not be so much in the crypto algorithm but more in how the application leveraging it is coded and designed. Taking full HDD encryption as an example, there is a one-off installation and encryption that would take a while depending on HDD size. There is also the implicit business impact when a system crashes and recovery of the backed-up crypto key is needed; these add up to "delays", but as a whole, if it is well planned, it will be part of the business continuity plan, and for daily use the crypto operation is transparent to the user - they improved (or compete) on the user experience as well.

2) I know that Symantec has PGP software. Are there any other PGP software out there that works well?

- There is the well-known TrueCrypt that you should check out; the (probably) only major deterrent is Enterprise support for centralised management. If not, it has been around and fulfils full HDD encryption, and provides portable and on-the-fly support. There is file volume encryption for pre-allocated secure storage mapping so that all data resides in there (if the user has the discipline for that). Of course it is not that perfect since it is free source, e.g. it does not perform file encryption, etc.

- For other solutions you may want to explore in the IT security space, you can check out the link summary. You may want to explore commercial players such as McAfee Endpoint Encryption and Check Point Full Disk Encryption, and even Microsoft has BitLocker (HDD encryption) and EFS (file/folder encryption). But note that EFS does not protect information over the network (only at the endpoint), unless using WebDAV.

3) What if you have a client that just has PCs with no file server on their LAN, does PGP software work the same and is it worth it to have it on those PCs?

- Yes, it works the same way. Endpoints go for whole hard disk encryption, and for servers it is the channel encryption and multi-user sharing that we are concerned with, which can be handled by NetShare and the Enterprise suite. Typically it needs to be defense in depth, with layers of protection established to secure the information - hence the terms data at rest, data in transit and data in progress (memory).
